Google: We've Stopped Most Gmail Account Hijacking

Google this week announced that a system it put in place to check 120 different variables related to online sign-ins has reduced the incidence of Gmail account hijackings by 99.7% since they peaked in 2011.

That's welcome news for anyone who's experienced first-hand the joys of having a friend or acquaintance get their webmail account hijacked. Cue "urgent" appeals and fake sob stories about getting mugged in London just hours before being scheduled to return home. "Kindly help me send the money via Western Union Money Transfer to my name and hotel address below," read one widely distributed scam email.

More recently, scammers used compromised webmail accounts to send emails with a bit.ly link that led to a fake -- but real-looking -- careers page at "careers.nbcnews.com-iw9.net" that interwove content stolen from NBC with plugs for work-at-home operations and "home cash success." More often than not, such scams are just fronts for money mule operations.

"We've seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time," said Google security engineer Mike Hearn in a blog post. "A different gang attempted sign-ins at a rate of more than 100 accounts per second."

Most account takeovers are made by scammers seeking to reliably distribute greater amounts of spam. "Although spam filters have become very powerful -- in Gmail, less than 1% of spam emails make it into an inbox -- these unwanted messages are much more likely to make it through if they come from someone you've been in contact with before," Hearn said. "As a result, in 2010 spammers started changing their tactics -- and we saw a large increase in fraudulent mail sent from Google Accounts."

Google said its risk assessment system now successfully blocks most of these types of account takeovers. "Every time you sign in to Google, whether via your Web browser once a month or an email program that checks for new mail every five minutes, our system performs a complex risk analysis to determine how likely it is that the sign-in really comes from you," said Hearn, noting that 120 different variables get assessed.

"If a sign-in is deemed suspicious or risky for some reason -- maybe it's coming from a country oceans away from your last sign-in -- we ask some simple questions about your account," he said. "For example, we may ask for the phone number associated with your account, or for the answer to your security question. These questions are normally hard for a hijacker to solve, but are easy for the real owner."

This type of adaptive authentication -- asking more questions whenever something looks suspicious -- isn't unique to Google, and is already available off-the-shelf from other security companies, such as RSA, which said its related software is now widely used by financial services firms.
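As an added illustration (not Google's code, and not the system Hearn describes), the toy risk engine below scores two of the kinds of sign-in variables the article mentions, a country change too soon after the last trusted sign-in and a single source attempting more than 100 accounts per second, and issues a step-up challenge rather than a block when the score crosses a threshold. The thresholds, weights and sample events are assumptions constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sign-in events: (timestamp_seconds, account, source_ip, country).
EVENTS = [
    (0,   "alice", "198.51.100.7", "US"),
    (600, "alice", "203.0.113.9",  "NG"),   # "oceans away" ten minutes later
    (610, "bob",   "198.51.100.7", "US"),
]
# Constructed burst: one source trying 150 distinct accounts within one second.
EVENTS += [(700, f"user{i}", "192.0.2.50", "RU") for i in range(150)]

CHALLENGE_THRESHOLD = 50     # assumed: score at which we ask extra questions
MIN_TRAVEL_SECS = 6 * 3600   # assumed: no legitimate country hop faster than 6h
MAX_ATTEMPTS_PER_SEC = 100   # rate quoted in the article for one attacking gang

class RiskEngine:
    def __init__(self):
        self.last_trusted = {}            # account -> (ts, country) of last allowed sign-in
        self.recent = defaultdict(deque)  # source_ip -> timestamps within the last second

    def score(self, ts, account, src_ip, country):
        score, reasons = 0, []
        prev = self.last_trusted.get(account)
        # Variable 1: country differs from the last trusted sign-in, too soon to travel.
        if prev and prev[1] != country and ts - prev[0] < MIN_TRAVEL_SECS:
            score += 60
            reasons.append("impossible_travel")
        # Variable 2: sliding one-second window of attempts from this source.
        window = self.recent[src_ip]
        window.append(ts)
        while window and ts - window[0] > 1:
            window.popleft()
        if len(window) > MAX_ATTEMPTS_PER_SEC:
            score += 80
            reasons.append("credential_stuffing_rate")
        return score, reasons

    def decide(self, ts, account, src_ip, country):
        score, reasons = self.score(ts, account, src_ip, country)
        if score >= CHALLENGE_THRESHOLD:
            return "challenge", reasons   # step-up: phone number / security question
        self.last_trusted[account] = (ts, country)  # only allowed sign-ins update history
        return "allow", reasons

def run(events):
    engine = RiskEngine()
    return [(acct, *engine.decide(ts, acct, ip, c)) for ts, acct, ip, c in events]
```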

The other day I was shut out from searching Google from my iPhone because it said there had been suspicious activity from my device -- but I was still able to sign into Gmail using the mail app. Eventually, the search warning went away. Interesting that I couldn't search for the closest pizza place, but could still access e-mail from a supposedly "compromised" device.
